Microsoft has disclosed CVE-2026-49798, a critical use-after-free flaw in the Windows Kernel that lets a local attacker elevate privileges to gain full system control.
What Is It
CVE-2026-49798 is a use-after-free vulnerability (CWE-416) in the Windows Kernel. Per Microsoft's description, the flaw "allows an unauthorized attacker to elevate privileges locally." It carries a CVSS 3.1 base score of 9.3 (CRITICAL) with the vector AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, meaning local access, low attack complexity, no privileges or user interaction required, and a changed scope with high confidentiality, integrity, and availability impact. The CVE was published July 14, 2026, and is currently listed by NVD as "Undergoing Analysis."
Why It Matters
Kernel-level use-after-free bugs are prized by attackers because a successful exploit yields SYSTEM privileges. This vulnerability requires no prior privileges and no user interaction, and the "scope: changed" rating indicates the impact reaches beyond the initially compromised component. In practical terms, an attacker who already has any foothold on a machine, for example, through phishing or a lower-privilege exploit, could chain this flaw to take complete control of the host. The 9.3 score places it among the most severe elevation-of-privilege issues.
What's Vulnerable
The affected products span the current Windows fleet across 32-bit, x64, and ARM64 platforms, including:
- Windows 10 (1607, 1809, 21H2, 22H2)
- Windows 11 (24H2, 25H2, 26H1)
- Windows Server 2012 and 2012 R2 (including Server Core)
- Windows Server 2016, 2019, 2022, and 2025 (including Server Core)
Each product is affected below a specific fixed build. Because Windows 11 24H2 and Windows Server 2025 share the same base build 26100, they take the same fixed build, for example, both below 10.0.26100.8875, while Windows 11 25H2, which is built on 26200, is fixed below 10.0.26200.8875.
Patch Status
Microsoft has assigned fixed build numbers for every affected product, indicating updates are available. Administrators should apply the July 2026 Windows security updates to move each system to or above the listed fixed build. No CISA KEV entry was supplied with this record, so active exploitation is not confirmed by KEV at this time.
Sources
- Microsoft Security Response Center, CVE-2026-49798
- NVD, CVE-2026-49798